There is a way to improve security (ciphers, like Content-Security-Policy in HTTPS headers, for example).
Also, I've noticed that each application has its own score, which means that the reverse-proxy configuration is not identical for each app? Is that normal?

And so, each app gets its OWN web server? Okay, so it's complicated to make the security policy uniform easily...
Also, for example, why allow 3DES? Like DES-CBC3-SHA in all TLS versions?

EDIT: I think every app needs to be at an A or A+ grade in order to be validated for Cloudron.
Paperwork / Wallabag allow insecure cookies, for example:
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS

EDIT 2: Sorry for the twin-post.
Also, I'm just trying to follow all the public recommendations from the French IT security agency.

For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.
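
As an added example (not code from this thread or from Cloudron), here is a small Python audit of the three items raised above: a missing Content-Security-Policy header, a session cookie set without the Secure flag, and 3DES cipher suites. The host names, header values and cipher list are constructed sample data, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample data: two hypothetical apps behind the same reverse proxy.
SAMPLE_APPS = {
    "app-a.example.test": [
        ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ],
    "app-b.example.test": [
        ("Strict-Transport-Security", "max-age=63072000"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly"),
    ],
}
# Constructed cipher list (OpenSSL names); DES-CBC3-SHA is the suite named in the thread.
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]


def audit_headers(headers):
    """Return a sorted list of findings for one app's response headers."""
    names = {name.lower() for name, _ in headers}
    hsts = "strict-transport-security" in names
    findings = []
    if "content-security-policy" not in names:
        findings.append("missing Content-Security-Policy")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for key, morsel in cookie.items():
            if not morsel["secure"]:  # empty string when the flag is absent
                note = " (HTTP transmission prevented by HSTS)" if hsts else ""
                findings.append(f"cookie '{key}' lacks Secure flag{note}")
    return sorted(findings)


def weak_ciphers(ciphers):
    """Flag 3DES suites by the name fragments OpenSSL uses for them."""
    return [c for c in ciphers if "3DES" in c or "DES-CBC3" in c]


def audit_all(apps):
    """Audit every app so per-app differences show up side by side."""
    return {host: audit_headers(h) for host, h in apps.items()}


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_APPS).items():
        print(host, findings or "ok")
    print("weak ciphers:", weak_ciphers(SAMPLE_CIPHERS))
```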